Network Security: Don't Forget The Vending Machine

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.bsminfo.com/doc/network-security-don-t-forget-the-vending-machine-0001

Security experts have speculated that the recent uptick in cyber attacks
could be related to remotely monitored third-party sources such as vending
machines and air conditioners, a New York Times article reports.

Such security breaches are possible when a company’s devices are managed by
software directly connected to its network — such as air conditioning that
can be monitored or managed remotely. If hackers are able to access one
system, then they have the potential to access all other connected systems.
This was the case in the recent Target security breach.

Billy Rios, director of threat intelligence at security firm Qualys, tells
the New York Times that it is common for companies to connect their air
conditioning systems to the same network as their databases containing
sensitive information— including customer credit cards.

George Kurtz, chief officer of security firm Crowdstrike, explains that
hackers choose third-party sources as targets because companies generally
don’t think to look there for evidence of an attack. These sources are also
targeted because they often operate on older systems, such as the
no-longer-supported Microsoft Windows XP software, allowing hackers to gain
access through weak spots and remain undetected. Security experts say that,
in many cases, these devices are delivered with security settings defaulted
to “off.”

Experts estimate that anywhere between one to three quarters of security
breaches occur when companies do not take proper security measures for
these third-party sources. The Ponemon Institute, a security research firm,
revealed in a February 2013 study that 23 percent of respondents’ breaches
were attributed to “third-party mistakes or negligence.” Arabella
Hallawell, vice president of strategy at network security firm Arbor
Networks, told theNew York Times that she estimates 70 percent of the
company’s reviewed breaches were related to third-party suppliers.

Similarly, a Bloomberg Businessweek investigation of the Target breach
published last month reported that Target’s security team neglected alerts
that identified suspicious activity.

In addition to negligence of third-party security, some victims are not
able to find the source of these attacks. According to the Ponemon survey,
this was the case in 28 percent of respondents’ security breaches.

If you do not manage connections to third-party systems for your client,
ask if adequate security measures have been taken — or investigate, if your
client doesn’t know. You might close a vulnerable, overlooked way in for
cybercriminals.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!